FDA Outlines Medical Device Cybersecurity Goals

June 16, 2021 - In response to the National Institute of Standards and Technology’s (NIST) workshop and call for position papers to aid them in delivering on President Biden’s cybersecurity executive order, the FDA voiced its support and concerns about medical device cybersecurity in particular, and the need for OT and IT security standards.  

On May 12th, President Biden signed an executive order on improving the nation’s cybersecurity, and called on NIST to establish “new standards, tools, and best practices.”

The executive order stated that “the guidelines shall include criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices.”

The executive order came after a string of ransomware attacks on the healthcare sector over the past year, along with an attack on the Colonial Pipeline in Texas that disrupted thousands of miles of its fuel supply chain. The recently launched Ransomware and Digital Extortion Task Force aims to combat the growing cybersecurity threats, but Biden’s executive order shows that a nationwide response is needed.

After the release of the executive order, NIST hosted a virtual workshop in early June and called for position papers in an effort to fulfill the orders by the required deadlines. NIST, per the order of the president, established the workshop and position papers to collaborate with the private sector, federal agencies, and industry experts, and agree on security standards.

READ MORE: FDA Names First Acting Director of Medical Device Cybersecurity

“These papers from organizations and individuals will be reviewed for their diversity of ideas in order to ensure that NIST considers a wide range of approaches for achieving the goal of the EO and that the standards and guidelines identified are practical and effective,” the NIST announcement stated.

“NIST seeks to build on existing approaches and capabilities to avoid duplication and to speed implementation of needed security steps while also encouraging creative thinking and new approaches.”

The FDA recently responded to NIST’s call for position papers, stating: “Cybersecurity is crucial for medical device safety and effectiveness. Critical functions are shifting from on-premises software infrastructure to distributed and remote infrastructure, including newly essential cloud services depended upon during the diagnosis and treatment of disease.”

The FDA provided detailed responses to the five areas that NIST was seeking feedback on, based on President Biden’s requests. First, the executive order requested criteria for defining “critical software,” to be completed within 45 days of the release of the executive order.

“That definition shall reflect the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised,” the executive order stated.

READ MORE: Biden’s Executive Order to Boost Threat Sharing, Supply Chain Security

In response, the FDA stressed that “software supply chain security is one essential part of managing risk to patients.” Critical software, according to the FDA, may include any device, EHR system, cloud service, or any software that is necessary for safe and effective use of any given device.

Responding to NIST’s question about standards for federal purchasing, the FDA listed a number of medical device security standards that should be taken into consideration when purchasing technologies. From the Joint Security Plan to the International Medical Device Regulators Forum (IMDRF), the FDA already has processes in place to ensure security, that could be incorporated into NIST’s plan.

Regarding NIST’s call for guidelines “outlining security measures that shall be applied to the federal government’s use of critical software,” the FDA voiced its support for NIST’s goals of developing guidelines and regulations for this area of cybersecurity, particularly for science-driven security testing and SBOMs, or software bill of materials. SBOMs give a detailed list of all components in a software product.

The FDA also provided feedback on NIST’s inquiry on minimum requirements for testing software source code, and its question on standards for software integrity chains.

“FDA urges NIST and the National Telecommunications and Information Administration (NTIA) to continue with and enhance their present approaches to the development of standards and guidelines for Operational Technology (OT) security by leveraging experts from across the public and private sectors,” the statement continued.

“Increasing communications on existing science and engineering principles, standards, and guidance can translate into improvements in OT cybersecurity, which has a fundamentally different risk management calculus from traditional IT cybersecurity.”